Supply Chain Attack: RustDoor Malware Introduced through Courtroom Software Backdoor

Backdoored, Courtroom Software, RustDoor Malware, Supply Chain Attack

Supply Chain Attack: Malware Discovered in Courtroom Video Recording Software

In a recent incident, cybersecurity firm Rapid7 discovered a supply chain attack that involved malware being delivered through a backdoored installer associated with courtroom video recording software developed by Justice AV Solutions (JAVS). The attack, tracked as CVE-2024-4978, impacted JAVS Viewer v8.3.7, a component of the JAVS Suite 8 software.

The JAVS Viewer software allows users to create, manage, publish, and view digital recordings of courtroom proceedings, business meetings, and city council sessions. The malicious actors behind the attack backdoored the installer, which resulted in the delivery of malware associated with a known backdoor called RustDoor.

Rapid7 initiated an investigation after discovering a malicious executable called “fffmpeg.exe” in the Windows installation folder of the JAVS Viewer software. The executable was found to be associated with the binary named “JAVS Viewer Setup,” which was downloaded from the official JAVS site on March 5, 2024. The installer was signed with an unexpected Authenticode signature and contained the binary fffmpeg.exe, which executed encoded PowerShell scripts.

Upon execution, fffmpeg.exe established contact with a command-and-control (C&C) server using Windows sockets and WinHTTP requests. It sent information about the compromised host and awaited further instructions from the server. The malware also attempted to bypass Antimalware Scan Interface (AMSI) and disable Event Tracing for Windows (ETW) by running obfuscated PowerShell scripts. It then downloaded an additional payload disguised as an installer for Google Chrome from a remote server.

The downloaded binary, named “chrome_installer.exe,” contained code to drop Python scripts and another executable called “main.exe.” The purpose of “main.exe” was to gather credentials from web browsers. However, Rapid7’s analysis found software bugs that prevented it from functioning properly.

RustDoor, the backdoor malware associated with the supply chain attack, was first documented by Bitdefender earlier in February. Initially targeting Apple macOS devices, RustDoor masqueraded as an update for Microsoft Visual Studio and was used in likely targeted attacks using job offering lures. Subsequent analysis by South Korean cybersecurity company S2W revealed a Windows version of the malware named GateDoor, which was programmed in Golang.

S2W researchers noted that both RustDoor and GateDoor have been distributed under the guise of normal program updates or utilities. The malware families share overlapping endpoints used to communicate with the C&C server and have similar functions. There is evidence connecting the malware to a ransomware-as-a-service (RaaS) affiliate called ShadowSyndicate. However, it is also possible that the malware developers are collaborators providing infrastructure to other actors.

This supply chain attack involving a trojanized JAVS Viewer installer distributing the Windows version of RustDoor was previously flagged by S2W on April 2, 2024, in a post on a social media platform. The method used to breach the vendor’s site and make the malicious installer available for download is currently unknown.

Upon being informed of the issue, JAVS took immediate action. The company identified a potential security issue with JAVS Viewer version 8.3.7 and removed the impacted version from its website. It also reset all passwords and conducted a full audit of its systems. JAVS emphasized that no source code, certificates, systems, or other software releases were compromised in the incident. It strongly encouraged all users to verify that any JAVS software they install is digitally signed by JAVS.

In light of this supply chain attack, users of JAVS Viewer are advised to check for indicators of compromise (IoCs). If infected, it is recommended to completely re-image all affected endpoints, reset credentials, and update to the latest version of JAVS Viewer.
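The two checks the article recommends, an installer signature whose signer is the one you expect and a look for the dropped binary in the install folder, as an added PowerShell example that is not from the article, Rapid7 or JAVS. The installer path, install directory and expected signer subject are assumptions; the signer string in particular is a placeholder to be replaced with the subject JAVS actually signs with.

```powershell
# Added example: verify a JAVS Viewer installer's Authenticode signature and
# look for the fffmpeg.exe binary the write-up reports in the install folder.
param(
    [string]$InstallerPath  = "$env:USERPROFILE\Downloads\JAVS Viewer Setup.exe", # assumed path
    [string]$InstallDir     = "C:\Program Files (x86)\JAVS",                      # assumed path
    [string]$ExpectedSigner = "CN=<EXPECTED-JAVS-SIGNER-PLACEHOLDER>"              # placeholder
)

function Test-InstallerSignature {
    param([string]$Path, [string]$Signer)
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Ok = $false; Reason = "File not found: $Path" }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # Unsigned or tampered binaries fail here before the signer is inspected.
        return [pscustomobject]@{ Ok = $false; Reason = "Signature status: $($sig.Status)" }
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$Signer*") {
        # A valid signature from the wrong signer is the warning sign Rapid7 described:
        # chain-valid, but not the vendor's expected certificate.
        return [pscustomobject]@{ Ok = $false; Reason = "Unexpected signer: $subject" }
    }
    return [pscustomobject]@{ Ok = $true; Reason = "Signed by expected signer: $subject" }
}

function Find-DroppedBinary {
    param([string]$Dir)
    # fffmpeg.exe (three f's) is the name reported in the article; a legitimate
    # ffmpeg.exe does not match this filter and is not flagged.
    Get-ChildItem -Path $Dir -Recurse -Filter 'fffmpeg.exe' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

$result = Test-InstallerSignature -Path $InstallerPath -Signer $ExpectedSigner
Write-Output "[installer] $($result.Reason)"

$dropped = @(Find-DroppedBinary -Dir $InstallDir)
if ($dropped.Count -gt 0) {
    $dropped | ForEach-Object { Write-Output "[IoC] found $($_.FullName) ($($_.Length) bytes, $($_.LastWriteTime))" }
} else {
    Write-Output "[IoC] no fffmpeg.exe found under $InstallDir"
}
```

A hit on either check is a reason to treat the host as compromised and follow the re-image and credential-reset advice above rather than to delete the file and move on.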

It is crucial for organizations to remain vigilant and protect their software supply chains from potential attacks. By conducting regular security audits, implementing secure development practices, and monitoring for suspicious activities, organizations can strengthen their defenses against supply chain attacks. Additionally, users should always verify the authenticity of software installers and ensure they are obtained from trusted sources.
